fix(waf): keep the WAF controller wired to tear down EnvoyExtensionPolicies on disable#4989
Open
electricjesus wants to merge 1 commit into
Open
fix(waf): keep the WAF controller wired to tear down EnvoyExtensionPolicies on disable#4989electricjesus wants to merge 1 commit into
electricjesus wants to merge 1 commit into
Conversation
…licies on disable Disabling Gateway WAF (GatewayAPI spec.extensions.waf.state: Disabled) removed the applicationlayer controller from kube-controllers ENABLED_CONTROLLERS and stripped its envoyextensionpolicies delete RBAC in the same reconcile that tore down the rest of the WAF surface. The controller never got the chance, or the permission, to delete the EnvoyExtensionPolicies it had generated, so the gateway kept enforcing WAF after WAF was turned off. That is the operator half of the EV-6751 ordering race. Gate the applicationlayer controller enablement and its WAF / Gateway-API / EEP RBAC on GatewayAPIPresent (the GatewayAPI CR exists) rather than on waf.state==Enabled. The controller now stays wired, with identical RBAC, whether WAF is enabled or disabled, so it can tear down its EEPs when disabled. A new WAF_GATEWAY_EXTENSION_ENABLED env tells the reconciler whether to program (enabled) or de-program (disabled). The active surface (WASM_* env, admission webhook, wasm image resolution, webhook NetworkPolicy) stays gated on waf.state==Enabled. Pairs with the calico-private reconciler change that reads WAF_GATEWAY_EXTENSION_ENABLED and tears down on disable. EV-6751
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The operator half of EV-6751. Disabling Gateway WAF (
GatewayAPIspec.extensions.waf.state: Disabled) dropped theapplicationlayercontroller from kube-controllersENABLED_CONTROLLERSand stripped itsenvoyextensionpolicies …deleteRBAC in the same reconcile that tore down the rest of the WAF surface. So the controller never got the chance, or the permission, to delete theEnvoyExtensionPolicyobjects it had generated. The gateway kept enforcing WAF after WAF was "off". That is the ordering race behind EV-6751: the operator removed the thing that was supposed to clean up, at the same moment it asked for cleanup.What changed
Gate the
applicationlayercontroller enablement and its WAF / Gateway-API /EnvoyExtensionPolicyRBAC on a newGatewayAPIPresent(theGatewayAPICR exists) rather than onwaf.state == Enabled.GatewayAPIPresentis a superset ofWAFGatewayExtensionEnabled— you can't enable WAF without the CR present, so in practice they move together on enable, butGatewayAPIPresentstays true through a disable.Result: the WAF controller stays wired, with identical RBAC, whether WAF is enabled or disabled, so it can tear down its EEPs when disabled. A new
WAF_GATEWAY_EXTENSION_ENABLEDenv on the kube-controllers Deployment tells the reconciler whether to program (enabled) or de-program (disabled).The active WAF surface stays gated on
waf.state == Enabled:WASM_*env vars, the admission webhook + its cert, wasm image resolution, and the webhook NetworkPolicy. Togglingwaf.statecauses no ClusterRole churn, since the WAF RBAC set is identical enabled vs disabled.Because the controller only watches Gateway API / Envoy Gateway CRDs when they exist, gating on
GatewayAPIPresentkeeps it off on clusters that never installed Gateway API (where those CRDs are absent). The toggle-disable path this fixes keeps Gateway API installed, so the CRDs the controller watches are present.Pairs with
calico-private https://github.com/tigera/calico-private/pull/12568 — the reconciler change that reads
WAF_GATEWAY_EXTENSION_ENABLEDand tears down on disable. This operator PR is inert without it, and it is inert without this (the reconciler never sees the disable signal, and gets torn down before it can clean up). Land them together.Deferred (follow-up)
A belt-and-suspenders operator-side final GC — delete leftover EEPs by label (
app.kubernetes.io/name=calico-waf) cluster-wide — for the hard-uninstall case where Gateway API itself is removed and no in-cluster controller can run. Not needed for the toggle-disable scenario this PR fixes; called out so it isn't lost.Test plan
go test ./pkg/render/kubecontrollers/— green (44 specs). New spec: WAF disabled but Gateway API present renders theapplicationlayercontroller,WAF_GATEWAY_EXTENSION_ENABLED=false, and theenvoyextensionpoliciesdelete RBAC, but noWASM_IMAGE/ webhook cert.GatewayAPIPresentalongsideWAFGatewayExtensionEnabled(the production invariant).gofmt+go vetclean; container pre-commit hook passed.Release Note